Google Workspace (formerly G Suite) is a powerful suite of collaboration and productivity software, but to get full visibility you’ll need to monitor the logs it produces.
A security information and event management (SIEM) platform can help achieve that, but it’s essential to find one that will play nicely with your existing Google Workspace environment. Google Chronicle promises to do that, but falls short in other areas.
Let’s discuss how to select a SIEM for Google Workspace.
What Is Google Workspace?
Google Workspace is a suite of productivity tools, including Gmail, Google Drive, Calendar, Meet, Chat, Docs, Sheets, Slides, Forms and Sites. Google Workspace was previously branded as G Suite, but the company changed the name to Workspace in 2020. Prior to 2016, G Suite was known as “Google Apps” or “Google Apps For Your Domain.”
Why Do You Need a SIEM For Google Workspace?
With over 6 million paying business customers (Abdalslam), Google Workspace is an extremely popular collaboration software. For the businesses that rely on it, Google Workspace is a wealth of critical information, from financial data to confidential emails.
Although the exact number is unknown, experts believe that Google stores 10 to 15 exabytes of data on its servers worldwide, according to MakeUseOf. To put that in perspective, an exabyte is a million terabytes.
The increasing volume of critical data stored within Google Workspace, combined with its rising popularity, makes it a prime target for cyberattacks such as ransomware, malware and more. Additionally, a distributed workforce makes it more difficult for IT and security teams to maintain visibility. The rise of remote work in 2020 coincided with a rise in attacks: that year Google sent its users around 33,000 warnings of state-sponsored attacks.
Without log monitoring, admins miss signals that are ambiguous on their own. For example, a user setting up a rule that forwards mail to an external address may be benign, or it may be a threat actor establishing persistence after compromising the account, so that a later password reset does not cut off their access to the mailbox.
Continuous monitoring is nearly impossible without a centralized repository for those logs. Without a SIEM for Google Workspace, IT and security teams would need to sift through and interpret hundreds of thousands of raw logs. Sending those logs to a centralized location like a SIEM helps to maintain visibility.
Is Google Workspace Secure?
Google is a security-first company, and bakes that philosophy into each of its products, Google Workspace included. As far as productivity suites go, Google Workspace is one of the most secure on the market.
Google “has made security the cornerstone of [its] product strategy,” the company said as it pledged in 2021 to commit $10 billion to advance cybersecurity. In September 2022, Google acquired cybersecurity firm Mandiant to invest in cloud security.
All Google Workspace plans come with security settings out-of-the-box that can provide basic protection at no extra cost:
- All data is encrypted with TLS (HTTPS) in transit and 256-bit AES at rest
- Support for multi-factor authentication
- Google conducts regular, third-party security audits and vulnerability testing
- Compliant with several frameworks, including ISO/IEC 27001, FedRAMP and SOC 3
- Admins can track user actions and set custom alerts
- Control access and permissions using Security Groups
- Data loss prevention (DLP) rules to define and protect sensitive content
That being said, Google, like all cloud storage providers, operates under the shared responsibility model, which means that the onus to secure data is not just on Google — it’s on you, too. Solely relying on a cloud provider can lead to a false sense of security, causing you to overlook other vital aspects of cybersecurity, such as user education, strong password policies, and regular software updates. Plus, cloud computing comes with its own set of risks, including data loss, API vulnerabilities, and misconfigurations.
No single security product can offer complete protection; a layered security approach utilizing various products and technologies is crucial to minimize the risk of successful cyberattacks. Third-party security products may provide advanced features like sandboxing or behavior-based detection to help identify and stop sophisticated attacks—capabilities that Google Workspace might not have or may not be as robust.
Relying on Google Workspace’s built-in features is simply not enough for today’s emerging security threats. A SIEM correlates and alerts on all of the data from disparate data sources — including firewalls, cloud apps, on-premises apps, identity management, and an endpoint detection and response (EDR) platform — to provide a holistic view of your environment.
Evaluating a SIEM for Google Workspace
Google integrates with a variety of SIEM solutions, including Panther, LogSentinel, LogRhythm, and Blumira. But no SIEM solution is one-size-fits-all; organizations should find a platform that best fits their specific needs, budget and use cases.
When evaluating a SIEM for Google Workspace, organizations should consider:
- Retention policies. Organizations that need to comply with frameworks such as PCI DSS or HIPAA must retain logs for a certain period of time. Google Workspace stores many log types — including admin log event data and audit log data — for 6 months, which means that compliance-seeking organizations should look for a SIEM that would help meet their specific requirements.
- Ease of use. Many SIEM vendors integrate with Google Workspace, but the integrations range in complexity; simpler integrations may use API connections while others require more heavy lifting, including parsing, querying, and more. More traditional SIEMs require months of setup time and lots of ongoing maintenance.
- Cost. Like most technology decisions, the best SIEM for your organization depends on your budget. Traditional SIEM platforms can cost between $5,000 – $10,000 per month for a medium or large-scale SIEM implementation. For smaller teams and budgets, look for a more affordable option with predictable pricing that’s not based on log ingestion.
What About Google Chronicle?
Google Chronicle is Google’s cloud-native SIEM. Initially an internal security tool created through Google’s Project X Moonshot division, it became available to purchase in 2018.
Just a year after its launch, Motherboard published an article titled ‘Chronicle Is Dead and Google Killed It,’ which described a tumultuous backstory: disagreements over the company’s direction and the departure of Chronicle’s original CEO, chief security officer and chief technology officer.
Company politics aside, Chronicle is a robust product built for organizations with advanced security needs. As a traditional SIEM, it is geared towards enterprises with a security operations center (SOC) and requires significant security expertise to run. It’s also priced similarly to other enterprise SIEM solutions, which often start at around $100,000 per year.
An option for more niche use cases is to run Blumira alongside Google Chronicle. Small IT teams that want to use Chronicle for data investigation but cannot build the detections they need at scale can work with Blumira’s Incident Detection Engineering team, which maintains a set of pre-built detections, helps build custom detections, and helps respond to incidents in a timely manner.
How Blumira SIEM Integrates With Google Workspace
Blumira is part of the Google Cloud Partner Advantage Program, which means that we are certified by Google to successfully deliver their products to customers.
- Install a Blumira sensor on Ubuntu
- Create a Google Cloud Platform project and locate its client ID
- Enable the Google APIs via the Google Admin SDK
- Link the APIs to Google Workspace
Once you configure Blumira with Google Workspace, Blumira streams security events and Workspace logs to its platform to parse, analyze and correlate data for automated threat detection and response.
Blumira detects and alerts IT teams of Google Workspace activity in near real-time, including when users download or externally share Google documents that may present an exposure risk to internal information.
An example alert can be found below, sent via email to our administrators when a user shared a document with an external participant:
Below you can see another example of a similar detection and response workflow in the responder view of Blumira’s platform:
In this example finding, the external document share is categorized as a data exfiltration threat at Priority 3. Data exfiltration is the stage at which an adversary actually removes data, and it typically follows earlier tactics such as discovery and lateral movement.
Unauthorized data leaving your environment means either an intrusion or insider misuse has already taken place, and that the controls earlier in the attack chain failed to prevent or detect it. That is why even a low-priority exfiltration finding deserves a look: confirming whether the share was legitimate is cheap, and the alternative is learning about the loss from someone else.
Along with the detection, Blumira’s platform provides pre-built security playbooks to walk your team through next steps and response, as well as additional stacked evidence for further investigation or reporting/compliance purposes – information such as the timestamp of the detection, actor email address (who did the sharing of the doc), document title, type, event name and target email (who the doc was shared with).
Blumira also detects identity-related incidents, such as Google Workspace admin role changes or repeated login failures across user accounts, which can indicate password spraying or brute-force attempts by an attacker.
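To make the detections described in this section concrete (external Drive shares, admin role grants, login-failure bursts) along with the mail-forwarding example from earlier in the article, here is a small Python detector run over constructed Google Workspace audit records. This is an added illustration, not Blumira’s or Google’s code. The records are built inline in the shape the Admin SDK Reports API returns from `activities().list()`; the application, event and parameter names (`drive`/`change_user_access`, `user_accounts`/`email_forwarding_change`, `admin`/`ASSIGN_ROLE`, `login`/`login_failure`) are assumptions that should be checked against Google’s event reference, and `example.com` stands in for the tenant’s own domain.

```python
"""Toy detections over Google Workspace audit activity records.

Added example, not Blumira's or Google's code. Records are constructed
inline in the shape the Admin SDK Reports API returns; application, event
and parameter names are assumptions to check against Google's reference.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumed: the tenant's own domains


@dataclass
class Finding:
    priority: int  # 1 = act now, 3 = review when convenient
    category: str
    actor: str
    detail: str


def params(event: dict) -> dict:
    """Flatten the Reports API parameter list into a name -> value dict."""
    return {p["name"]: p.get("value", p.get("boolValue", p.get("intValue")))
            for p in event.get("parameters", [])}


def is_external(address: str) -> bool:
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def ts(act: dict) -> datetime:
    return datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))


def detect(activities: list, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Run four detections over a batch of activities in time order."""
    findings = []
    failures = defaultdict(list)  # actor -> recent login_failure timestamps
    alerted = set()               # actors already reported for a failure burst
    for act in sorted(activities, key=ts):  # the API returns newest first
        app, actor = act["id"]["applicationName"], act["actor"]["email"]
        for ev in act["events"]:
            p = params(ev)
            if app == "drive" and ev["name"] == "change_user_access":
                # Drive ACL change that grants access outside the tenant.
                target = p.get("target_user", "")
                if p.get("visibility") == "shared_externally" or (target and is_external(target)):
                    findings.append(Finding(3, "data_exfiltration", actor,
                        f"shared '{p.get('doc_title')}' ({p.get('doc_type')}) with {target}"))
            elif app == "user_accounts" and ev["name"] == "email_forwarding_change":
                # Mail auto-forwarded out of the tenant: persistence after account takeover.
                dest = p.get("email_forwarding_destination_address", "")
                if dest and is_external(dest):
                    findings.append(Finding(2, "persistence", actor, f"forwards mail to {dest}"))
            elif app == "admin" and ev["name"] == "ASSIGN_ROLE":
                # Any admin role grant is worth a human look.
                findings.append(Finding(2, "privilege_escalation", actor,
                    f"granted {p.get('ROLE_NAME')} to {p.get('USER_EMAIL')}"))
            elif app == "login" and ev["name"] == "login_failure":
                # Sliding-window count of failures per account, alert once per actor.
                now = ts(act)
                recent = [t for t in failures[actor] if now - t <= window] + [now]
                failures[actor] = recent
                if len(recent) >= fail_threshold and actor not in alerted:
                    alerted.add(actor)
                    findings.append(Finding(1, "credential_attack", actor,
                        f"{len(recent)} failed logins within {window}"))
    return findings


def activity(app: str, actor: str, time: str, name: str, **kw: str) -> dict:
    """Build one constructed activity record (only the fields the detector reads)."""
    return {"id": {"time": time, "applicationName": app},
            "actor": {"email": actor},
            "events": [{"name": name,
                        "parameters": [{"name": k, "value": v} for k, v in kw.items()]}]}


SAMPLE = [  # constructed sample data, not real logs
    activity("drive", "alice@example.com", "2024-03-01T12:00:00.000Z", "change_user_access",
             doc_title="Q3 Financials", doc_type="spreadsheet",
             target_user="partner@gmail.com", visibility="shared_externally"),
    activity("drive", "alice@example.com", "2024-03-01T12:01:00.000Z", "change_user_access",
             doc_title="Team Roster", doc_type="document",
             target_user="bob@example.com", visibility="private"),  # internal: no finding
    activity("user_accounts", "bob@example.com", "2024-03-01T12:05:00.000Z",
             "email_forwarding_change",
             email_forwarding_destination_address="bob.backup@outlook.com"),
    activity("admin", "carol@example.com", "2024-03-01T12:06:00.000Z", "ASSIGN_ROLE",
             ROLE_NAME="_SEED_ADMIN_ROLE", USER_EMAIL="bob@example.com"),
] + [
    activity("login", "dave@example.com", f"2024-03-01T12:10:{s:02d}.000Z",
             "login_failure", login_type="google_password")
    for s in range(0, 50, 10)  # five failures in forty seconds
]

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f"P{f.priority} {f.category:<22} {f.actor:<20} {f.detail}")
```

Two design points matter when moving this from toy to production. The forwarding and share checks rely on a domain allow-list, so keep `INTERNAL_DOMAINS` in sync with every domain and alias your tenant owns or you will page yourself on internal shares. The login-failure detection counts per target account, which catches brute force against one user but not password spraying (one attempt across many accounts); for that, key the window on source IP as well.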
Blumira’s cloud-based SIEM with threat detection and response is built for small and under-resourced teams. We do things differently by providing more value for better cybersecurity outcomes, including:
- Automate Tasks For You – We do all the heavy lifting for your team to save them time, including parsing, creating native third-party integrations, developing threat intelligence, and testing and tuning detection rules to reduce noisy alerts.
- Faster Time to Security – Our unique approach to detections notifies you of threats other security tools may miss, sending you real-time alerts in under a minute of initial detection to help you respond to threats faster than ever.
- Easily Meet Compliance – With a year of data retention and deployment that takes minutes to hours, we help you meet cyber insurance and compliance easily and quickly with the team you have today.
Blumira’s Free Edition can be configured and set up in about 10 minutes, and you’ll have access to our detection rules written by experienced Incident Detection Engineers. You’ll be able to see and respond to suspicious activity for free.